AUSTRAC compliance for VASPs: what crypto teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Australia’s crypto market is projected to reach 11.38 million users by 2025, while regulatory uncertainty and tighter AUSTRAC scrutiny are pushing VASPs toward stronger AML/CFT controls, structured enrolment, and better records, according to SumSub. For IAM and compliance teams, the lesson is that identity proofing, monitoring, and evidence retention now sit inside the same governance problem.

NHIMG editorial — based on content published by SumSub: Practical Guide to AML/CFT Compliance for VASPs under AUSTRAC

Questions worth separating out

Q: How should VASPs build AML/CFT controls that hold up under AUSTRAC scrutiny?

A: VASPs should build AML/CFT controls as an end-to-end identity governance process, not a collection of isolated checks.

Q: Why do crypto onboarding and compliance often drift apart in regulated environments?

A: They drift apart when onboarding is designed for speed while compliance is designed for proof.

Q: What breaks when VASPs treat verification as a one-time check?

A: A one-time check breaks the link between identity assurance and ongoing risk management.

Practitioner guidance

  • Separate compliance ownership from operational execution: assign clear owners for AUSTRAC enrolment, AML/CTF program maintenance, suspicious transaction review, and record retention.
  • Tie customer due diligence to ongoing transaction monitoring: make sure identity proofing outcomes feed into monitoring rules and escalation logic.
  • Require durable evidence trails from verification workflows: choose verification processes that preserve reviewable records for decisions, exceptions, and rechecks.

What's in the full article

SumSub's full guide covers the operational detail this post intentionally leaves for the source:

  • A 6-step AML/CTF compliance template that moves from AUSTRAC enrolment to ongoing recordkeeping.
  • Guidance on choosing a verification partner based on compliance, fraud prevention, and onboarding scale.
  • Examples from crypto operators showing how verification workflows were applied in practice.
  • A practical checklist for aligning suspicious transaction reporting with controlled evidence capture.

👉 Read SumSub's practical guide to AML/CFT compliance for Australian VASPs →

Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
Compliance pressure in crypto is really an identity governance problem. AUSTRAC obligations do not fail because firms lack policy language. They fail when enrolment, due diligence, suspicious transaction reporting, and recordkeeping are not governed as one lifecycle. For VASPs, the control question is whether identity evidence can be traced from first contact through audit review. Practitioners should treat AML/CFT as an identity control plane, not a legal afterthought.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: Who is accountable when a crypto firm cannot prove AML/CFT compliance?

A: Accountability sits with the organisation’s control owners, not the verification tool. Regulated firms need named responsibility for program design, evidence retention, and review escalation so that compliance can be defended during audit, investigation, or enforcement review.

👉 Read our full editorial: Australia’s crypto AML/CFT guide shows compliance pressure rising